orb-community · etaques · Jan 19, 2024 · Jan 19, 2024 · Jan 19, 2024 · Jan 19, 2024
diff --git a/charts/orb/.helmignore b/charts/orb/.helmignore
@@ -4,6 +4,7 @@
 .DS_Store
 # Common VCS dirs
 .git/
+issuers/
 .gitignore
 .bzr/
 .bzrignore

diff --git a/charts/orb/Chart.yaml b/charts/orb/Chart.yaml
@@ -10,7 +10,7 @@ name: orb
 description: Orb Observability Platform
 icon: https://avatars1.githubusercontent.com/u/13207490
 type: application
-version: 1.0.54
+version: 1.0.55
 appVersion: "0.27.0"
 home: https://getorb.io
 sources:

diff --git a/charts/orb/README.md b/charts/orb/README.md
@@ -25,10 +25,11 @@ helm repo update
 helm dependency update
 ```
 
-* Create `orb` namespace
+* Create `orb` and `otelcollectors` namespace
 
 ```
 kubectl create namespace orb
+kubectl create namespace otelcollectors
 ```
 
 * Create JWT signing key secret
@@ -44,7 +45,7 @@ kubectl create secret generic orb-sinks-encryption-key --from-literal=key=mainfl
 
 * Create keto dsn secret
 ```
-kubectl create secret generic orb-keto-dsn --from-literal=dsn='postgres://postgres:password@db.host.com:5432/keto' -n orb
+kubectl create secret generic orb-keto-dsn --from-literal=dsn='postgres://postgres:orb@orb-postgresql-keto:5432/keto' -n orb
 ```
 
 * Create admin user secrets
@@ -53,12 +54,28 @@ kubectl create secret generic orb-keto-dsn --from-literal=dsn='postgres://postgr
 kubectl create secret generic orb-user-service --from-literal=adminEmail=user@example.com --from-literal=adminPassword=12345678 -n orb
 ```
 
+* Install orb. Replace `orb` with your helm release name, also set your HOSTNAME as a valid domain to expose service properly, remember that should generate a certificate for that.
+Check the [optional variables](#optional-variables-to-set) for more options. 
+
+```
+helm install --set ingress.hostname=HOSTNAME -n orb orb .
+```
+
+On <b>AWS EKS</b>: 
+Once that you can update your ingress controller (AWS LoadBalancer) using helm, a good solution could be you open the MQTT port on the cluster loadbalancer and redirect it to <b>orb-nginx-internal</b> pod as below:
 * Deploy [ingres-nginx helm](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) (to default namespace) with
   tcp config map configured from helm for 8883 (MQTTS). Note you need to reference both namespace and helm release name
   here!
 
 ```
-helm install --set tcp.8883=orb/my-orb-nginx-internal:8883 ingress-nginx ingress-nginx/ingress-nginx
+helm install --set tcp.8883=orb/orb-nginx-internal:8883 ingress-nginx ingress-nginx/ingress-nginx
+```
+
+On <b>On-Premise kubernetes cluster</b>: 
+The best approach is use nginx-internal as service type LoadBalancer on your values.yaml to expose your MQTT port externally
+
+```
+helm install --set tcp.8883=orb/orb-nginx-internal:8883 ingress-nginx ingress-nginx/ingress-nginx
 ```
 
 * Wait for an external IP to be available
@@ -76,16 +93,38 @@ helm install cert-manager jetstack/cert-manager --namespace cert-manager --creat
 ```
 
 * Create Issuer CRDs (in the `orb` namespace!)
-  * `cp issuers/production-issuer-tpt.yaml issuers/production-issuer.yaml`
-  * edit `issuers/production-issuer.yaml` and change `spec.acme.email` to a real email address
-  * `kubectl create -f issuers/production-issuer.yaml -n orb`
 
-* Install orb. Replace `my-orb` with your helm release name.
-Check the [optional variables](#optional-variables-to-set) for more options. 
+If you are using nginx as ingress controller:
+```
+cp issuers/production-issuer-nginx.yaml issuers/production-issuer.yaml
+```
+If you are using traefik as ingress controller:
+```
+cp issuers/production-issuer-traefik.yaml issuers/production-issuer.yaml
+```
+* edit `issuers/production-issuer.yaml` and change `spec.acme.email` to a real email address
+```
+kubectl apply -f issuers/production-issuer.yaml -n orb
+```
+* Create Certificate (in the `orb` namespace!)
+```
+kubectl apply -f issuers/production-issuer.yaml -n orb
+```
+
+To restart entire deployment:
+
+```
+kubectl rollout restart deployment -n orb
+```
+
+## Known-bug:
+Sometimes on the first run, postgres can have a problem to seed your password. To fix this, you have to manually remove the persistent volume claim (PVC) which will free up the database storage.
 
 ```
-helm install --set ingress.hostname=HOSTNAME -n orb my-orb .
+kubectl delete pvc data-my-db-postgresql-0
 ```
+(Or whatever the PVC associated with your initial Helm install was named.)
+After remove the pvc, you need to restart the respective pod.
 
 ### Optional variables to set
 - **SMTP**
@@ -96,4 +135,4 @@ helm install --set ingress.hostname=HOSTNAME -n orb my-orb .
   - `smtp.fromName`: E-mail sender display name. Defaults to `Orb`.
   - `smtp.fromAddress`: E-mail address of the sender.
   - `smtp.usernmame`: username used when authenticating to the SMTP server used for sending e-emails. 
-  - `smtp.password`: password used when authenticating to the SMTP server used for sending e-emails.
+  - `smtp.password`: password used when authenticating to the SMTP server used for sending e-emails.
diff --git a/charts/orb/issuers/certificate.yaml b/charts/orb/issuers/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: orb-tls
+  namespace: orb
+spec:
+  dnsNames:
+    - orb.example.com
+  secretName: orb-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
diff --git a/...ts/orb/issuers/production-issuer-tpt.yaml → .../orb/issuers/production-issuer-nginx.yaml b/...ts/orb/issuers/production-issuer-tpt.yaml → .../orb/issuers/production-issuer-nginx.yaml
diff --git a/charts/orb/issuers/production-issuer-traefik.yaml b/charts/orb/issuers/production-issuer-traefik.yaml
@@ -0,0 +1,24 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: user@example.com
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            class: traefik
+            ingressTemplate:
+              metadata:
+                annotations:
+                  traefik.ingress.kubernetes.io/router.entrypoints: "web"
+                  traefik.ingress.kubernetes.io/router.tls: "false"
+                  traefik.ingress.kubernetes.io/router.priority: "42"
diff --git a/charts/orb/templates/ingress.yaml b/charts/orb/templates/ingress.yaml
@@ -1,6 +1,6 @@
 # Copyright (c) Mainflux
 # SPDX-License-Identifier: Apache-2.0
-
+{{- if eq .Values.ingress.ingressClassName "nginx" }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -34,6 +34,8 @@ spec:
         - {{ .Values.ingress.hostname }}
       secretName: {{ .Values.ingress.secret }}
 ---
+{{- end }}
+{{- if eq .Values.ingress.ingressClassName "nginx" }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -122,3 +124,113 @@ spec:
     - hosts:
         - {{ .Values.ingress.hostname }}
       secretName: {{ .Values.ingress.secret }}
+{{- end }}
+{{- if eq .Values.ingress.ingressClassName "traefik" }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: orb-stripprefix
+  namespace: {{ .Release.Namespace }}
+spec:
+  stripPrefix:
+    prefixes:
+      - /api/v1
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  annotations:
+  {{- if .Values.ingress.annotationsTraefik }}
+    {{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
+  {{- end }}
+  name: {{ .Release.Name }}-traefik-ingress
+  namespace: {{ .Release.Namespace }}
+spec:
+  entryPoints:
+    - web
+    - websecure
+  routes:
+    - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/users`)
+      kind: Rule
+      services:
+        - name: {{ .Release.Name }}-users
+          port: {{ .Values.users.httpPort }}
+      middlewares:
+        - name: orb-stripprefix
+    - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/password`)
+      kind: Rule
+      services:
+        - name: {{ .Release.Name }}-users
+          port: {{ .Values.users.httpPort }}
+      middlewares:
+        - name: orb-stripprefix
+    - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/tokens`)
+      kind: Rule
+      services:
+        - name: {{ .Release.Name }}-users
+          port: {{ .Values.users.httpPort }}
+      middlewares:
+        - name: orb-stripprefix
+    - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/keys`)
+      kind: Rule
+      services:
+        - name: {{ .Release.Name }}-auth
+          port: {{ default .Values.auth.httpPort }}
+      middlewares:
+        - name: orb-stripprefix
+    - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agents`)
+      kind: Rule
+      services:
+        - name: {{ .Release.Name }}-fleet
+          port: {{ default .Values.fleet.httpPort }}
+      middlewares:
+        - name: orb-stripprefix
+    - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agent_groups`)
+      kind: Rule
+      services:
+        - name: {{ .Release.Name }}-fleet
+          port: {{ default .Values.fleet.httpPort }}
+      middlewares:
+        - name: orb-stripprefix
+    - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/sinks`)
+      kind: Rule
+      services:
+        - name: {{ .Release.Name }}-sinks
+          port: {{ default .Values.sinks.httpPort }}
+      middlewares:
+        - name: orb-stripprefix
+    - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/policies`)
+      kind: Rule
+      services:
+        - name: {{ .Release.Name }}-policies
+          port: {{ default .Values.policies.httpPort }}
+      middlewares:
+        - name: orb-stripprefix
+    - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/sinks`)
+      kind: Rule
+      services:
+        - name: {{ .Release.Name }}-sinks
+          port: {{ default .Values.sinks.httpPort }}
+      middlewares:
+        - name: orb-stripprefix
+    - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/authenticationtypes`)
+      kind: Rule
+      services:
+        - name: {{ .Release.Name }}-sinks
+          port: {{ default .Values.sinks.httpPort }}
+      middlewares:
+        - name: orb-stripprefix
+    - match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/version`)
+      kind: Rule
+      services:
+        - name: {{ .Release.Name }}-fleet
+          port: {{ .Values.fleet.httpPort }}
+    - match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: {{ .Release.Name }}-ui
+          port: {{ .Values.ui.port }}
+  tls:
+    secretName: {{ .Values.ingress.secret }}
+{{- end }}
diff --git a/charts/orb/templates/maestro-deployment.yaml b/charts/orb/templates/maestro-deployment.yaml
@@ -18,7 +18,7 @@ spec:
         app: {{ .Release.Name }}
         component: maestro
     spec:
-      serviceAccountName: k8s-maestro-role
+      serviceAccountName: {{ .Values.maestro.rbac.serviceAccountName }}
       containers:
         - env:
             - name: ORB_SINKS_SECRET_KEY

diff --git a/charts/orb/templates/maestro-service-account.yaml b/charts/orb/templates/maestro-service-account.yaml
@@ -2,32 +2,74 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Values.maestro.rbac.serviceAccountName }}
+  name: k8s-maestro-sa
+{{- if .Values.maestro.rbac.createServiceAccountTokenSecret }}
+secrets:
+  - name: {{ .Release.Name }}-maestro-k8s-secret
+{{ end }}
+{{- if .Values.maestro.rbac.createServiceAccountTokenSecret }}
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-maestro-k8s-secret
+  annotations:
+    kubernetes.io/service-account.name: k8s-maestro-sa
+type: kubernetes.io/service-account-token
+{{ end }}
 {{- if .Values.maestro.rbac.ClusterRoleBindingCreate }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: maestro-cluster-role
+  # "namespace" omitted since ClusterRoles are not namespaced
+rules:
+  - apiGroups: [""]
+    resources: ["*"]
+    verbs: ["*"]
+  - apiGroups: ["extensions"]
+    resources: ["*"]
+    verbs: ["*"]
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ .Values.maestro.rbac.serviceAccountName }}
+  name: k8s-maestro-rb
 subjects:
 - kind: ServiceAccount
-  name: {{ .Values.maestro.rbac.serviceAccountName }}
+  name: k8s-maestro-sa
   namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
 roleRef:
   kind: ClusterRole
-  name: {{ .Values.maestro.rbac.ClusterRole }}
+  name: maestro-cluster-role
   apiGroup: rbac.authorization.k8s.io
 {{ else }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+    name: maestro-role
+    namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
+rules:
+  - apiGroups: [""]
+    resources: ["*"]
+    verbs: ["*"]
+  - apiGroups: ["extensions"]
+    resources: ["*"]
+    verbs: ["*"]
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ .Values.maestro.rbac.serviceAccountName }}
+  name: k8s-maestro-rb
   namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
 subjects:
 - kind: ServiceAccount
-  name: {{ .Values.maestro.rbac.serviceAccountName }}
+  name: k8s-maestro-sa
+  namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
 roleRef:
-  kind: ClusterRole
-  name: {{ .Values.maestro.rbac.ClusterRole }}
+  kind: Role
+  name: maestro-role
   apiGroup: rbac.authorization.k8s.io
 {{ end }}